1

I have a domain domain1.com. The user logs in and a cookie is set. This is done using Django sessions.

I then go to another domain domain2.com. This domain runs javascript. From this javascript, I want to see if the user is logged into domain1.com.

Is this possible? Can I see a cookie belonging to domain1 from domain2? Or can I somehow via ajax make a call to domain1 to check if the user is logged in?

Also, the user might originally have logged into domain1 from Chrome, but now they are accessing domain2 from another browser. Aren't cookies browser specific?

EDIT:

The real problem I am trying to solve? (re comment below): I have created a Chrome extension. When the user presses the extension icon from domain2, a javascript is run, which collects information from the page. This information needs to be sent to the user's account on domain1. Note that domain2 can be ANY domain, not one that I have created.

What I tried with AJAX and cookies.

Set cookie from domain1:

response.set_cookie("user_cookie", value="somevalue", max_age=60*60, expires=None, path='/', domain=None, secure=None, httponly=False)

Create Python function, which is executed from domain1.com/checklogin:

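from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def is_logged_in(request):
    # Report whether the request carried the marker cookie set at login.
    cookie = request.COOKIES.get('user_cookie')
    if cookie is not None:
        return HttpResponse("1")
    else:
        return HttpResponse("0")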

Go to domain1.com/checklogin -> The response is "1"

Call javascript from domain2 as follows:

var xmlHttp_1=new XMLHttpRequest();
xmlHttp_1.open("POST","http://domain1.com/checklogin/",false);
xmlHttp_1.send();
alert(xmlHttp_1.responseText);

The response here is, incorrectly, 0. It does not see the cookie created by domain1.

Note that domain1 is, at this point, localhost and domain2 is a real domain. Could this be the issue? It does properly call the function.

user984003

2 Answers

2

Is this possible? Can I see a cookie belonging to domain1 from domain2?

No. Cookies are restricted to domains (and their subdomains). A cookie for .foo.com is accessible to www.foo.com, zoo.foo.com but not bar.com.

Or can I somehow via ajax make a call to domain1 to check if the user is logged in?

This is one way, yes, and it will work.

Also, the user might originally have logged into domain1 from Chrome, but now they are accessing domain2 from another browser. Aren't cookies browser specific?

Yes, they are. If you are logged into Chrome, and you open Safari, you won't be logged in.

Burhan Khalid
1

Cookies are domain specific; you may share cookies between foo.example.com and bar.example.com but not between two domains. As a workaround, you need to send an ajax request from domain two to domain one, check there if the cookie is set, and send the response back to domain two.

Check this SO question for reference: Setting default cookie domain for Django site with multiple domain names

codefreak
  • I tried sending an ajax request from domain2 to domain2 but it is not working. I edited my answer to show what I tried. Note that domain2 can be ANY domain, not one that I have created. – user984003 Apr 23 '13 at 10:53
  • it should be a jsonp request to make cross browser ajax request work – codefreak Apr 23 '13 at 12:51
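
The AJAX check described in the answers only sees the cookie when the request is sent with credentials and domain1 replies with matching CORS headers. The following is an added example, not code from the question or the answers: a framework-free Python model of both the server decision and the browser's check, in which the allowlist, the session store and all function names are hypothetical.

```python
# Added example: model of a credentialed cross-origin login check.
# ALLOWED_ORIGINS, SESSIONS and the function names are hypothetical.

ALLOWED_ORIGINS = {"https://domain2.example"}   # constructed allowlist
SESSIONS = {"abc123": "alice"}                  # constructed session store


def cors_headers(origin):
    """Server side: CORS headers for a request carrying this Origin."""
    if origin not in ALLOWED_ORIGINS:
        # Reflecting any Origin here would let every site read login state.
        return {}
    return {
        "Access-Control-Allow-Origin": origin,   # exact origin, never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                        # keep caches per-origin
    }


def check_login(origin, cookies):
    """Server side: (body, headers) for /checklogin/, keyed on the session."""
    logged_in = cookies.get("sessionid") in SESSIONS
    return ("1" if logged_in else "0"), cors_headers(origin)


def browser_request(origin, jar, with_credentials):
    """Browser side: body the page script may read, or None if blocked.

    with_credentials models `xmlHttp_1.withCredentials = true`; without it
    a cross-origin XHR is sent with no cookies at all.
    """
    cookies = jar if with_credentials else {}
    body, headers = check_login(origin, cookies)
    allow = headers.get("Access-Control-Allow-Origin")
    if with_credentials:
        ok = (allow == origin and
              headers.get("Access-Control-Allow-Credentials") == "true")
    else:
        ok = allow in (origin, "*")
    return body if ok else None
```

In current browsers the session cookie is attached to such a cross-site request only when it is set with SameSite=None and Secure, which in Django means `SESSION_COOKIE_SAMESITE = 'None'` and `SESSION_COOKIE_SECURE = True` over HTTPS.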